[CentOS] C5 recent openssl update breaks mysql SSL connection

Tue Aug 18 10:58:25 UTC 2015
Tony Mountifield <tony at softins.co.uk>

In article <013173C7-6AEC-4C2D-9EB7-84C873C89028 at googlemail.com>,
Leon Fauster <leonfauster at googlemail.com> wrote:
> Am 18.08.2015 um 11:27 schrieb lhecking at users.sourceforge.net:
> > 
> >> Maybe so, but still a side issue. Openssl 0.9.8e was recently updated.
> >> Some change in this update has broken something. I would like to understand
> >> what, and so ought the package maintainers. C5 isn't EOL until March 2017.
> > 
> > rpm -q --changelog openssl-0.9.8e. You weren't clear which version you
> > upgraded from, but you mentioned testing against openssl-0.9.8e-27.el5_10.1
> > (from March 2014, nevertheless), which works.
> > 
> > I would hazard a guess that this is the change causing your problem.
> > 
> > * Fri Jun 26 2015 Tomas Mraz <tmraz at redhat.com> 0.9.8e-36
> > - also change the default DH parameters in s_server to 1024 bits
> > 
> > Here's some more info,
> > 
> > https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
> > 
> > RH must have backported this fix to 0.9.8e.
> > 
> > There seem to be many reports out there that the openssl update broke mysql,
> > but unfortunately, at a quick glance, they are all about RHEL6/openssl 1.0.1,
> > so you're most likely on your own. I'm quite ignorant of mysql, but it looks
> > like you may be able to get this to work again by changing the cipher in mysql
> > and regenerating your cert.
> > 
> > https://www.howtoforge.com/how-to-set-up-mysql-database-replication-with-ssl-encryption-on-centos-5.4
> > 
> 
> 
> http://lists.centos.org/pipermail/centos/2015-July/153753.html

Cool - that looks like the answer. Just tried it successfully.

Many thanks!

Tony
-- 
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org